[jboss-user] [Security & JAAS/JBoss] - Re: Repeated calls to LoginModule for EJB authentication

brownjamese do-not-reply at jboss.com
Thu Feb 8 14:51:52 EST 2007


Interesting and odd log entries - especially since I don't know what a good "run" should look like.  I followed the security FAQ and added the necessary log4j config entries.  After trundling through the info, I still see:
* multiple accesses to the login module's login() method; and
* inserts into the cache with different subject reference IDs

For example, I see the actual login:

  | 2007-02-08 14:58:03,121 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
  | 2007-02-08 14:58:03,322 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
  | 2007-02-08 14:58:03,322 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: U174791 is authenticated
  | 2007-02-08 14:58:03,332 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
  | 	Principal: Roles(members:xxx,yyy,zzz)
  | 	Principal: U174791
  | , sc=org.jboss.security.SecurityAssociation$SubjectContext@7c7d85{principal=U174791,subject=18143033}
  | 

Then access to the next URL, where the "hit" on the web app checks (and finds) the subject in cache:
  | 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]  Checking for SSO cookie
  | 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]  Checking for cached principal for D5612028A309EA8A4A5889D393B6251A
  | 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]  Found cached principal 'U174791' with auth type 'FORM'
  | 

But then access from web-app to EJB to EJB in another ear (all with the same JAAS policy configured) produces:

  | 2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=U174791
  | 2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@7aed3a{principal=U174791,subject=null}
  | 2007-02-08 14:59:09,928 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
  | 2007-02-08 14:59:09,958 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=U174791
  | 2007-02-08 14:59:09,958 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
  | 	Principal: Roles(members:xxx,yyy,zzz)
  | 	Principal: U174791
  | , this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961028413], activeUsers=0
  | 2007-02-08 14:59:09,958 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] logout, subject=Subject:
  | 	Principal: Roles(members:xxx,yyy,zzz)
  | 	Principal: U174791
  | , this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961028413]
  | 2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
  | 2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, principal=U174791
  | 2007-02-08 14:59:09,968 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(acol-core-policy), size=10
  | 2007-02-08 14:59:09,968 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(acol-core-policy), authInfo=AppConfigurationEntry[]:
  | [0]
  | LoginModule Class: ca.acol.core.security.login.JBossLoginModule
  | ControlFlag: LoginModuleControlFlag: sufficient
  | Options:name=auth_ds, value=auth
  | 
  | 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, lc=javax.security.auth.login.LoginContext@1be9101, subject=Subject(2223107).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791)
  | 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] updateCache, inputSubject=Subject(2223107).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791)
  | 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@31ac05[Subject(17676813).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961148415]
  | 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
  | 2007-02-08 14:59:10,048 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
  | 	Principal: Roles(members:xxx,yyy,zzz)
  | 	Principal: U174791
  | , sc=org.jboss.security.SecurityAssociation$SubjectContext@11492ed{principal=U174791,subject=28983194}
  | 2007-02-08 14:59:10,048 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
  | 
  | 

Just to clarify wars/jars/ears involved:

.ear
   - .war  - struts-based web application
   - .jar  - contains application-specific EJBs

payment.ear
  - payment.jar - real-time payment interface

.war invokes .jar to perform custom workflow, including payment.  Thus .jar calls EJBs in .jar.

Various incantations of security-domain have been used, all with the same application policy.  Log snippets above are from  with .war and payment.jar with the security-domain set to acol-core-policy.  I have tried adding the same security policy to .jar, but that just increases the number of re-authentication calls.

-- James

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4013244#4013244

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4013244
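As an added example (not code from James's post and not part of JBoss), the following Python script turns TRACE output of the kind quoted above into a per-principal account: how often JaasSecurityManager missed its cache, how often the LoginModule was run, which Subject identities were inserted into and destroyed from the cache (with the DomainInfo expiry rendered as a date), how many times SecurityAssociation pushed a SubjectContext with subject=null, and which LoginModule runs happened after the principal had already been cached, paired with the destroy event that preceded them. The sample log it runs on is constructed from the lines in the post (the first "Inserted cache info" record, which the post elides, is filled in to mirror the second one); the script assumes the log4j pattern and the JBoss 4.0.x category and message strings exactly as they appear in the post.

```python
"""Added example (not from the post or from JBoss): correlate JBoss 4.x
JaasSecurityManager/SecurityAssociation TRACE records per principal. Assumes the
log4j layout seen in the post; Subject dumps continue on timestamp-less lines."""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the post's lines: first login, the Tomcat SSO
# hit, the EJB call pushing a subject-less context, the cached DomainInfo being
# destroyed, and a second full login for the same user.
SAMPLE_LOG = """\
2007-02-08 14:58:03,121 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
2007-02-08 14:58:03,121 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, principal=U174791
2007-02-08 14:58:03,320 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961028413]
2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]  Found cached principal 'U174791' with auth type 'FORM'
2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@7aed3a{principal=U174791,subject=null}
2007-02-08 14:59:09,958 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
\tPrincipal: Roles(members:xxx,yyy,zzz)
\tPrincipal: U174791
, this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961028413], activeUsers=0
2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, principal=U174791
2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@31ac05[Subject(17676813).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961148415]
"""

RE_RECORD = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
                       r"(?P<level>[A-Z]+) \[(?P<cat>.+?)\]\s+(?P<msg>.*)$")
RE_CHECK = re.compile(r"^Begin isValid, principal:(?P<principal>.+?), cache info: (?P<cache>.*)$")
RE_LOGIN = re.compile(r"^defaultLogin, principal=(?P<principal>.+)$")
RE_PUSH_NULL = re.compile(r"^pushSubjectContext, subject=null, .*\{principal=(?P<principal>[^,}]+)")
RE_DOMAININFO = re.compile(r"DomainInfo@(?P<info>[0-9a-f]+)\[Subject\((?P<subject>\d+)\)")
RE_PRINCIPAL = re.compile(r"SimplePrincipal@[0-9a-f]+\((?P<principal>[^)]+)\)")
RE_EXPIRES = re.compile(r"expirationTime=(?P<exp>\d+)")
RE_ACTIVE = re.compile(r"activeUsers=(?P<n>\d+)")

def parse_records(text):
    """(ts, category, message) per record; continuation lines are folded in, a forum quote prefix ("  | ") is stripped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^\s*\| ?", "", raw)
        m = RE_RECORD.match(line)
        if m:
            records.append([m.group("ts"), m.group("cat"), m.group("msg")])
        elif records and line.strip():
            records[-1][2] += " " + line.strip()
    return [tuple(r) for r in records]

def _cache_entry(msg):
    """DomainInfo id, Subject identity hash, principal and expiry from a DomainInfo dump, else None."""
    info, who, exp = (r.search(msg) for r in (RE_DOMAININFO, RE_PRINCIPAL, RE_EXPIRES))
    if not (info and who and exp):
        return None
    return {"info": info.group("info"), "subject": info.group("subject"),
            "principal": who.group("principal"), "expires": int(exp.group("exp"))}

def extract_events(records):
    """Events: cache check, LoginModule run, subject-less push, cache insert, DomainInfo destroy."""
    events = []
    for ts, _cat, msg in records:
        if m := RE_CHECK.match(msg):
            events.append({"ts": ts, "kind": "check", "principal": m.group("principal"),
                           "cached": m.group("cache") != "null"})
        elif m := (RE_LOGIN.match(msg) or RE_PUSH_NULL.match(msg)):
            kind = "login" if msg.startswith("defaultLogin") else "subjectless_push"
            events.append({"ts": ts, "kind": kind, "principal": m.group("principal")})
        elif msg.startswith(("Inserted cache info:", "destroy, subject=")):
            entry = _cache_entry(msg)
            active = RE_ACTIVE.search(msg)
            if entry:
                events.append({"ts": ts, "kind": "insert" if msg[0] == "I" else "destroy",
                               "active_users": int(active.group("n")) if active else None, **entry})
    return events

def summarize(events):
    """Per principal: misses, LoginModule runs, cached/destroyed Subjects, and logins after the user was already cached."""
    per = {}
    for ev in events:
        p = per.setdefault(ev["principal"], {
            "cache_misses": 0, "login_module_calls": 0, "subjectless_pushes": 0,
            "inserts": [], "destroys": [], "reauthentications": []})
        kind = ev["kind"]
        if kind == "check":
            p["cache_misses"] += 0 if ev["cached"] else 1
        elif kind == "subjectless_push":
            p["subjectless_pushes"] += 1
        elif kind == "login":
            p["login_module_calls"] += 1
            if p["inserts"]:  # LoginModule ran although this user had been cached before
                since = p["inserts"][-1]["ts"]
                gone = [d for d in p["destroys"] if d["ts"] >= since]
                p["reauthentications"].append({"ts": ev["ts"], "after_destroy": gone[-1] if gone else None})
        else:  # "insert" / "destroy"
            p[kind + "s"].append(ev)
    return per

def fmt_expiry(ms):
    """DomainInfo.expirationTime is epoch milliseconds; render it as UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(extract_events(parse_records(SAMPLE_LOG))))
```

Point it at a real server.log (after enabling the TRACE categories from the security FAQ) by replacing SAMPLE_LOG with the file contents; the `reauthentications` list then tells you, for each LoginModule run on an already-cached user, whether a `destroy` of that user's DomainInfo was logged after the last insert (and with what `activeUsers` count) or whether the login happened with no destroy logged at all. Expiry values are rendered in UTC, so compare them against the log timestamps in whatever zone the server clock uses.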


